18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

Thursday, May 14, 2026 at 06:00 AM UTC·Source: The Hacker News

Updated: Thursday, May 14, 2026 at 07:00 AM UTC

Executive Summary

Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a

Analysis

Indicators of Compromise (1)

CVE (1)

CVE-2026-42945

NVD MITRE CVE

Source Attribution

Originally published by The Hacker News on May 14, 2026.

Related Threats

LOWVulnerabilityNEW

Meet Fragnesia, the third Linux kernel vulnerability in a month

Linux admins reeling from handling last month’s CopyFail and last week’s Dirty Frag kernel vulnerabilities have a new headache to deal with: Fragnesia. “This is a significant vulnerability,” Robert Beggs , head of incident response firm DigitalDefence, told CSO . “It is bypassing traditional filesystem permissions that are present and enforced (for example, ‘file is owned by root’, or ‘file is rea

CVE-2026-46300

41m agoCSO Online

HIGHVulnerabilityNEW

Maximum Severity Cisco SD-WAN Bug Exploited in the Wild

This is the second time this year a threat actor has leveraged a CVSS 10.0 vulnerability in Cisco's network control system.

45m agoDark Reading

MEDIUMVulnerabilityNEW

White House cyber official: identity security matters more than ever in the age of AI

While AI tools present unique cybersecurity threats, they still rely on poor identity security by organizations to do the most damage, a White House official said Thursday. The post White House cyber official: identity security matters more than ever in the age of AI appeared first on CyberScoop .

55m agoCyberScoop